Electronics Insider

EU Cyber Resilience Act Triggers First Compliance Deadlines for Building IoT Vendors

The EU Cyber Resilience Act's first compliance deadlines hit in 2026, mandating IoT security reporting and conformity assessment for building automation vendors.

The European Union's Cyber Resilience Act (CRA) - the bloc's first horizontal cybersecurity law for connected products - has entered its initial enforcement phase, with mandatory obligations taking effect in 2026 that directly affect manufacturers and operators of IoT devices deployed in commercial building automation systems.

Background

The CRA entered into force on 10 December 2024. Its core product security obligations apply from 11 December 2027, with vulnerability reporting obligations taking effect on 11 September 2026. The regulation marks a significant departure from previous voluntary frameworks, aiming to fill gaps and strengthen the EU's cybersecurity legislative framework. It ensures that products with digital components - including IoT products - are secured throughout the supply chain and their full lifecycle.

The CRA applies to all products containing digital components connected to networks or other devices. Its scope includes industrial hardware and software such as IoT devices, programmable logic controllers (PLCs), and sensors - all categories routinely deployed in building management and automation systems. The law classifies products by criticality: critical products require third-party assessments, while non-critical products need only manufacturer self-certification.

Details

Two significant compliance milestones fall in 2026, ahead of the full enforcement deadline of December 2027. From 11 June 2026, Chapter IV provisions on the notification of conformity assessment bodies apply, and Member States must designate notifying authorities responsible for assessing and approving certification bodies. From 11 September 2026, all manufacturers of products with digital elements sold in the EU must report actively exploited vulnerabilities to ENISA and designated national CSIRTs within 24 hours of discovery. This applies to all products shipped to the EU, including IoT devices, OT systems, and embedded systems - and extends to legacy products already on the market.

The security requirements are specific and technical. Devices must be designed and shipped secure by default, incorporating strong authentication, encrypted communications, secure boot, and safe default configurations. Manufacturers must also establish robust processes to identify, track, and remediate vulnerabilities throughout the product lifecycle, including maintaining a Software Bill of Materials (SBOM). ENISA must be notified within 24 hours of a manufacturer becoming aware of a significant cybersecurity incident.

Non-compliance carries material consequences. Products may be withdrawn from the EU market, and manufacturers face fines of up to €15 million or 2.5% of global annual turnover.

According to ONEKEY Managing Director Jan Wendenburg, "The operational phase of the Cyber Resilience Act will begin in 2026." Starting 11 June 2026, the first conformity assessment bodies (CABs) will begin checking product conformity. Wendenburg noted that manufacturers must have their "internal processes, documentation, technical evidence, and safety requirements in place by then at the latest." External conformity assessment is mandatory for products with high safety risk, including critical infrastructure components, IoT devices with high damage potential, and industrial control systems.

For building operators and procurement teams, the implications extend beyond manufacturer compliance. While the European Commission has not made certification universally mandatory at this stage, it may become de facto mandatory through procurement rules, market expectations, or national requirements. The draft revised Cybersecurity Act proposes binding timelines for developing certification schemes and expanding the European Cybersecurity Certification Framework to include a "cyber posture" scheme facilitating NIS2 compliance for entities operating across multiple Member States.

In March 2026, the European Commission published draft guidance to help companies apply the CRA, clarifying how key provisions should be interpreted and implemented. A feedback window ran through 31 March 2026.

Outlook

While the final adoption date of the revised Cybersecurity Act remains unspecified, the direction of travel is clear. The CRA and complementary regulations are advancing on parallel tracks, forming a cybersecurity resilience "stack" that will shape how companies build, sell, and operate connected technology in the EU. For building automation vendors and system integrators, the 11 September 2026 vulnerability reporting deadline represents the most immediate action point - requiring SBOM documentation, incident response procedures, and conformity assessment processes to be in place well before that date.